SANS ISC InfoSec Forums

ISC handlers have written several reports this past week dealing with malware that redirects a client to download suspicious files from sites we often want to block. It is common for malware to use evasion techniques such as fast flux to avoid being blocked by constantly changing the IP(s). However, the website name remains static, and this is where a DNS sinkhole comes into play.

A way to deal with this is to resolve the name locally, before the query leaves your site and reaches the DNS server of the site owner. Several lists already exist on the Internet that can be used to populate a sinkhole.

The first step is to add an include statement for a new configuration file to /etc/named.conf. For example, add:

include "/var/named/sink_local.conf";

Run the command "named-checkconf" to make sure you have no errors in your named.conf file.

The second step is to edit the sink_local.conf file in the /var/named directory (or create it if not already done) and add the malicious site to the sinkhole. For example, we are going to use the site published in Patrick's Diary (http://isc.sans.org/diary.html?storyid=7918), our.org.molendf.co.kr. Add the following line to sink_local.conf:

Third, you need to create the master file /var/named/sinkhole/redirect.nowhere in the new sinkhole directory; this file redirects the client to the sinkhole address. It never changes and remains static. I have called my file redirect.nowhere, which I think is only fitting. Here is an example of this file:

The IP address I have assigned here is an IP that can be used to alert on. For example, this IP can host a website that shows a policy page; this will only work if the client is attempting to contact a website. Add this IP (192.168.25.5) to your IDS/IPS to alert every time a PC connects to it (on any port). The security team can then check the PC for signs of compromise.

Last, reload your zones for the new list to take effect by executing "rndc reconfig".

Make sure the clients are now using the name server that has been configured with the sinkhole. The final step is to test the configuration to ensure the clients resolve the malicious sites to our sinkhole address:

This can be extended using other trusted lists. For example, you could use the SRI "Most Observed Malware-Related DNS Names" list, add a new include option in named.conf for a file such as sri.conf in the /var/named directory, and populate it with the list. This could be scripted to update daily to keep the list up to date. This adds another layer of defense you can control.
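As an added example (not code from the diary), the daily update just mentioned can be scripted as below: a POSIX shell script that turns a plain domain list into the zone statements sink_local.conf needs, checks the result with named-checkconf and only then reloads with rndc reconfig. It assumes the standard BIND zone statement syntax, the redirect.nowhere path from the diary, an existing redirect master file, and a hypothetical list file name; each list entry is validated so a corrupted or hostile line in a downloaded list cannot inject extra directives into named.conf.

```shell
#!/bin/sh
# Added example: build BIND sinkhole zone statements from a domain list.
# Paths come from the diary; the list file name is hypothetical.
SINK_CONF="${SINK_CONF:-/var/named/sink_local.conf}"
REDIRECT_FILE="/var/named/sinkhole/redirect.nowhere"

# Read domains on stdin (one per line, '#' comments allowed) and print one
# "zone" statement per name, all pointing at the shared redirect master file.
# Names are lower-cased, trimmed, stripped of a trailing dot and de-duplicated;
# any entry with characters outside [a-z0-9.-] is rejected, so a bad list
# line (say, one containing '"' or ';') cannot smuggle directives into
# named.conf when the file is included.
gen_sinkhole_conf() {
    tr '[:upper:]' '[:lower:]' |
    sed 's/#.*//; s/^[[:space:]]*//; s/[[:space:]]*$//; s/\.$//' |
    grep -v '^$' |
    sort -u |
    while IFS= read -r name; do
        case "$name" in
            *[!a-z0-9.-]*|.*|*..*)
                printf 'skipping invalid entry: %s\n' "$name" >&2
                continue ;;
        esac
        printf 'zone "%s" { type master; file "%s"; };\n' \
            "$name" "$REDIRECT_FILE"
    done
}

# Regenerate the include file from the list in $1, but only replace the live
# file and reconfigure named if named-checkconf accepts the new fragment,
# so a broken list never takes the resolver down.
apply_sinkhole_conf() {
    tmp="$SINK_CONF.tmp"
    gen_sinkhole_conf < "$1" > "$tmp" || return 1
    if named-checkconf "$tmp"; then
        mv "$tmp" "$SINK_CONF" && rndc reconfig
    else
        rm -f "$tmp"
        return 1
    fi
}

# Usage (e.g. from a daily cron job):
#   sinkhole-update.sh --apply /var/named/sinkhole_domains.txt
if [ "$1" = "--apply" ]; then
    apply_sinkhole_conf "$2"
fi
```

Rejected entries are reported on stderr so the cron job's mail shows what was dropped from the list.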

If you know of other lists that could populate a sinkhole, I will add them later to this diary.

Update: The Malware Domain List provides a list of websites currently serving malware, along with a description (i.e. Trojan, PDF exploit, etc.).

I would recommend using the current Zeus Domain Blocklist -
https://zeustracker.abuse.ch/blocklist.php
Not sure if the terms of service would allow Malware URL text file to be automated, but I believe you could download it once every week/month -
http://www.malwareurl.com/index.php
Great article Guy =)

There are some issues to consider before blacklisting whole domains.
a) What is the provenance of the data source?
b) Do we trust that every domain on the blacklist should be there?
c) What happens when a domain gets de-listed from the blacklist (how soon will this propagate)?
d) What if bona-fide domain(s) gets onto the blacklist either by accident or as a deliberate malevolent action?

See also: http://www.malwaredomains.com/wordpress/?page_id=6

It is also useful to configure a webserver (I use Apache) at the re-directed IP address (of the "sink hole") because this will provide additional information in the Apache logs.

yoyo.org offers a list of adservers in multiple formats, one of which is a bind zone file. So yes, it's the same thing except that the localhost address in their zone file can't be used for logging or IDS.